Down the Security Rabbithole, The Blog

This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.

Friday, May 22, 2009

The long weekend is almost here, and before you take off this Friday I wanted to let you know I'll be speaking at the ISACA eSymposium titled "Web Application Security: Intelligent Choices" on Tuesday!

You can register for the event here, and I've included a synopsis from my talk below - hey, those CISSPs out there can even earn 3 CPE credits for taking a small quiz after!

What better way to spend the day after a long weekend than listening to myself, Rich Mogull, Michael Shema, and Michael Sutton talk about making intelligent choices in building a web application security program?

In today's enterprise, Web Application Security has come front and center for security managers as well as the business. However, many well-funded, well-backed programs fail, because they miss the fundamental rule of problem solving -- understand the problem. The secret to success is simple -- understand your business context and build a program around that. How can you develop an actionable, business risk-driven program? Understanding your role is key, followed by successful identification of a cornerstone upon which to base the program. This presentation will teach you how to evaluate data value, application visibility and business exposure one step at a time and assign real, measurable risk. Participants will be given a strong foundation to succeed, so they don't end up solving problems the business doesn't have.

Hope to see you there! I'll be posting slides from the talk on Wednesday, to the usual SlideShare.net place! I'd love to hear your questions and comments after the talk.

This post is a follow-up to my previous post called "FireFox Plug-In Design Flaw Yields ffspy PoC"; and yes, another "{click|side|extension|whatever}-jacking" phrase comes at you. Not that I particularly like the idea of having a browser extension "jacked" but if you think about it carefully, as I have been for the last several hours, the whole point is essentially m00t. One of the folks who read this previously and commented, Steve Pinkham, had an interesting point - sadly I have to say that when I got caught up in the sheer pandemonium of this fun new exploit, I didn't really think about the bigger picture...

"I agree, this isn't really novel. It's an interesting POC, but if I have local access to your file system, there's tons of easy ways to own you...

We just don't have systems that were designed to stand up to local access, case closed. An attacker could just as easily modify one of Firefox's own executables or libraries, your proxy settings, etc..."

So to Steve, thanks for setting me straight - and now with the "Big Picture" in mind I'm writing this as a 49,998ft view of the whole mess.

Let's think about this logically, since there are many things at play here. First off there's the use of XUL by FireFox for things like an extension manifest... which allows for arbitrary script tags! Granted most of the .xul files I first-hand witnessed were "chrome://xxxxx" but it could have just as easily been "https://malicious.tld/malicious.js" or something of that nature. To say that this is a bad way of doing it is an understatement - but what's the real issue? The real issue is that Mozilla went for simplicity, speed, and extensibility over security - an obvious choice many times over. Next, let's look at the amount of effort it would take to somehow change this mechanism... Even if Mozilla did decide to change the way extensions function and MD5sum that file, and store it somewhere... or whatever they did - it would automatically break every single extension immediately... granted that Mozilla developers are famous for breaking extensions from version to version (even on minor revs??!!) but this would anger more than just a few people.

Next, let's think about the problem in a macrocosm of nastiness on the web. We are taught not to trust the web, or anything that comes from a source you don't explicitly trust. But how do we know what to trust? I personally have at least 5 extensions in my FireFox browser that I never even pretended to look at the source code for. Are they stealing keystrokes, logging my bank passwords?... who knows! The problem is that they pop up like mushrooms after a spring rain - and no one's realistically going to review them all... certainly not the Mozilla folks.

Perhaps the most hard-to-swallow design flaw with plugins is that they have access to the raw browser's stream... before it hits the encryption routines. This effectively means that not only does a plug-in have access to keystrokes, URLs, full-text of your POSTs but it has access to all that pre-encryption onto the SSL stream. Talk about game over!

In the final analysis, at least for me, it doesn't really matter that FireFox chooses to use XUL, which allows for an arbitrary script tag in the extension manifest file... although that is a seriously neat trick. What really matters is that the attack surface of FireFox is laid bare through the plug-in/extension architecture which in my humble opinion is fundamentally flawed from a security perspective. It doesn't matter if we sign/encrypt/check-recheck that manifest file for a maliciously injected script src="http://malicious.tld/malicious.js" ... the browser is hosed anyway, long before that.

I'm hoping that this sparks the Mozilla folks to re-examine their architecture and seriously re-design their plugin/extension interface... I offer my humble support should it be requested.

Wednesday, May 20, 2009

It's happened, my faith in FireFox and plug-ins has been totally shattered, for real this time. I knew the day would come soon... but I'm still sad.

I read this brilliantly simple blog post where Duarte Silva, on his myf00 blog, basically trojaned a legitimate Mozilla "extension" (add-on) to make it do evil, evil things. He calls his creation "ffspy", how fitting given that it steals your HTTP POSTs. The scary thing about this - that legitimate extension was NoScript. Even more impressive is Duarte's mastery of JavaScript-foo...

It's not a bug or vulnerability in NoScript, by any means, but rather a design flaw in the way plug-ins work in general...

"You can infect one of the installed add-ons, because Firefox isn’t able to verify if an add-on is compromised or not. To do that you only need to edit the file that defines the overlay." --D. Silva

And he's totally correct - there really isn't a nice design mechanism to do this, at the present time. A suggestion I would have is this... when a plug-in is installed, make sure you validate that the .XUL file has a valid MD5sum (or whatever you want to hash it with). Once it's installed that hash needs to be stored inside FireFox's internal guts so someone can't just modify it... maybe in a binary format or something?
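Added example (not code from this blog or from Mozilla) that implements the two ideas above: hash each overlay (.xul) file at install time and re-check it later, and flag any <script src="..."> in an overlay that loads from somewhere other than the extension's own chrome:// URLs, which is the injection pattern Duarte's ffspy write-up describes. SHA-256 stands in for the post's "MD5sum or whatever"; the overlay contents and file names are constructed for the demo.

```python
"""Baseline-and-verify check for Firefox extension overlay (.xul) files.

Added example, not part of the original post or of any Mozilla code.
"""
import hashlib
from xml.etree import ElementTree as ET

XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
# Script sources an extension may legitimately load from (assumption for the demo).
ALLOWED_SCHEMES = ("chrome://", "resource://")

# Constructed sample: a benign overlay as an extension might ship it.
CLEAN_OVERLAY = (
    f'<overlay id="demoOverlay" xmlns="{XUL_NS}">\n'
    '  <script type="application/x-javascript" src="chrome://demo/content/demo.js"/>\n'
    "</overlay>\n"
)

# Constructed sample: the same overlay after a remote script tag was injected.
TAMPERED_OVERLAY = CLEAN_OVERLAY.replace(
    "</overlay>",
    '  <script src="http://malicious.tld/malicious.js"/>\n</overlay>',
)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(overlays: dict) -> dict:
    """Record one hash per overlay at install time (the post's 'store it in
    Firefox's internal guts' step). overlays maps file name -> file content."""
    return {name: sha256_hex(text) for name, text in overlays.items()}


def verify_baseline(baseline: dict, overlays: dict) -> list:
    """Return the names of overlays whose current hash differs from the
    baseline, plus any file that vanished or appeared since install."""
    changed = []
    for name in set(baseline) | set(overlays):
        if name not in baseline or name not in overlays:
            changed.append(name)
        elif sha256_hex(overlays[name]) != baseline[name]:
            changed.append(name)
    return sorted(changed)


def suspicious_script_sources(xul_text: str) -> list:
    """Return src values of <script> elements that load from anywhere other
    than the allowed internal schemes, e.g. an http(s):// URL."""
    root = ET.fromstring(xul_text)
    bad = []
    for el in root.iter():
        if el.tag in ("script", f"{{{XUL_NS}}}script"):
            src = el.get("src", "")
            if src and not src.startswith(ALLOWED_SCHEMES):
                bad.append(src)
    return bad


if __name__ == "__main__":
    baseline = build_baseline({"overlay.xul": CLEAN_OVERLAY})
    print("changed:", verify_baseline(baseline, {"overlay.xul": TAMPERED_OVERLAY}))
    print("remote scripts:", suspicious_script_sources(TAMPERED_OVERLAY))
```

Both checks only help if the baseline itself lives somewhere a local attacker cannot rewrite, which is exactly the caveat Steve Pinkham's comment raises.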

Anyway... his article is well worth the read - and just continues to draw a bleak picture of security in the browsers... as I've been saying all along.

Tuesday, May 19, 2009

During Monday's CSI/SX Web 2.0 Security Summit our panel moderator Jeremiah Grossman said something that resonated with me. Just as I was talking through my slides and verbalizing my confusion with Google Chrome's "Task Manager", he asked if Chrome is less browser and more platform... interesting question!

Interestingly enough, as I sent this to a colleague, Tyler Reguly, he pointed out that this topic had been talked about significantly before - without really very many answers... and certainly not well-conversed in security circles.

What's Google's intent here, one may ask? While I can't speak for Google or the Chrome development team I can speculate that it appears as though there is some greater purpose for Chrome in the maybe not-too-distant future.

Allow me to draw a parallel with something most of you will be familiar with - Microsoft NT v4.0. Before you start laughing consider this - the same way that Windows NT4 was sold as "stable"... Chrome is being sold now (see explanation here.) If one of the Chrome tabs or windows becomes compromised, it is still process-isolated from the other tabs/windows and can be closed without impact to them. Interestingly enough, if I recall correctly Microsoft's literature read almost verbatim.

What I want to know is... have browser makers crossed over that threshold from simple "web code sandbox" into something more? Are browser makers now starting to see the browser as a platform, onto which other features will be built? This seems rather logical given the fact that browsers have become so complex that they are in themselves a layer of abstraction, between the portable code off the web and the machine they run on. I mean, look at FireFox! FireFox has a rich plug-in architecture that allows development of programs on top of FireFox. The problem with that architecture is that the plug-ins and the core browser functionality are not logically separate, which leads to a massive new attack surface and a condition where a single mischievous plug-in can completely compromise the security of the web application and the user, but I digress.

The question is - does having a feature like a task manager make Google Chrome something more than a simple web browser? Does having features that resemble operating system features from back when operating systems were maturing necessitate a new label... or am I simply over-thinking this "feature"?

Monday, May 18, 2009

Hi all, ahead of my talk at the CSI/SX 2009 event I wanted to post my slides for you. It's a short deck that does much better, I think, in person than what the slides show - but I hope it conveys my point. Essentially - it's a rant against the really crappy state of web browser security.

I'll post a text version of this hopefully soon, maybe I'll write it on the plane ride home tomorrow - but for now, here are the slides! As always - feedback is welcome.

Thursday, May 14, 2009

Social Engineering - Lesson #1, make sure you only pay your waiter! Although this guy was clearly good at playing the disguise, the restaurant patrons are just as much at fault for being clueless and not paying attention! Interesting read...

VISA's Latest Anti-Fraud - The Europeans have figured out credit card fraud pretty well, and are way ahead of us Americans unfortunately - and here's another example. VISA is now introducing a card that goes beyond chip-and-pin with a built-in computer and keypad on the card itself to combat card-not-present fraud. I hope we get them in the 'States before I turn 50... hope they fit well into the wallet?

Apple's "Big Fix" - Apple released fixes for, get this, 68 security issues. I guess all those ads about Macs "not getting viruses, crashing, ..." are just as full of crap as the rest of the Mac vs. PC war. I think it's time to add up the public vulnerability data for Microsoft and Apple for the year again...

Minnesota's Capitol "Seriously Vulnerable" - Here's a shocker... Minnesota's Legislative Auditor (who?) released a report that basically said that Capitol security was crap. I'm partial to the security doors that were installed... I love random acts of useless security, don't you?

Adobe's Security Woes - ...and last but certainly not least, in case you've been living in a cave with no Internet, Adobe fixed yet another round of PDF problems recently. Link to the entire slew of advisories included above... can't wait for the next round.

Have you ever wanted to feel what it's really like to actually compromise a system?

Odds are you've wanted to sharpen your skills, learn to actually hack but just don't have the time, the knowledge or an exploitable target that won't land you in jail. That's all behind you now... welcome to LAMPSecurity.org's Capture the Flag exercise #5.

LAMPSecurity's exercise

"...designed to educate system administrators and developers on some common dangers and mis-configurations facing Linux, Apache, MySQL, PHP (LAMP) applications."

The great news here is that this is all 100% documented with step-by-step instructions, including the tools you'll need and all the coaching you can stand, all in one handy package. Justin Keane and the folks over at www.LAMPSecurity.org are doing a phenomenal job of bringing these special images to you - so by all means go and use them to your advantage! The only thing you'll need is VMware Player, some time, and your creativity!

Academia is in serious trouble, and it appears quite clear that universities are faring much worse than other school systems. The question everyone asks is "why?" and while the answer may be quite simple to those of us who have some inside information into how the higher education networks function, I felt it prudent to briefly explain the situation and the circumstances leading to this crisis.

Institutions of higher education, colleges and universities, are under much greater pressures from attackers than are most other educational institutions for a very specific, yet painfully obvious, reason - openness. Colleges and universities typically have a mandate that the flow of information and ideas through their networks be unrestricted. What's worse, in a university setting each department is a silo... doing as they please and standing up servers, applications and web sites to their hearts' content without really asking permission or following any protocol. Given all that it's simple to see why the security teams at universities and colleges have a very unenviable position.

Bracing for the worst from the hackers is one thing when you have a reasonably cooperative organization where security is taken (at least somewhat) seriously. Higher education tends to take security as an afterthought (if at all), from what I've seen, and the folks trying to push the security agenda are rarely heard. This creates a double-whammy for the security folks in academia. On one hand, you can't lay down the law and lock down your environment in the name of education and openness, on the other hand there are websites popping up and data being stored all over the place without your knowledge. This is a hacker's dream right?

How does someone working in an academic environment wrought with adversity like this succeed in protecting the precious information which patrons entrust them with? There aren't any simple answers here. Perhaps a grass-roots change in mentality and beliefs is in order. Perhaps rather than taking blame as a whole, the universities should single out specific people or persons who were directly responsible for the conditions leading up to the breach/hack? Would that type of accountability change the minds of careless department heads who choose to ignore security? I'm not sure I believe that, but it's a good start.

As I've preached before, a sound policy is the key to a secure environment. A policy not only should lay out the guidelines for what should be done but also make clear the consequences of failing to comply with the policy. From experience, it's this last bit that eludes many organizations - and not just higher education. It's tough to get an organization behind the idea of punishing people who break the rules, particularly in an academic environment where the culprits are intellectuals (heaven forbid we give them rules to live by) but it must be done lest we continue to see news stories about these types of data breaches at an ever-increasing rate.

Looking beyond the hack method, focusing on the motivation is often a good way to understand why attacks occur and how to prevent them. In the case of schools and universities there are multiple possible reasons for attack. First - students typically start with a clean slate when they enter college. If an attacker can collect enough information to create a fraudulent account in a student's name they have a better chance of no one noticing for a while... until that student actually investigates their credit. This brings me to a second point - credit responsibility. I've known many friends who went through college collecting credit cards like baseball cards and spending on plastic without regard for tomorrow. If a card thief managed to set up a line of credit in their names these folks likely wouldn't notice for quite some time, and it would be hard to analyze their spending patterns to identify a fraudulent purchase against their usual spending madness.

On top of all that, schools typically collect massive amounts of information about students and staff for various reasons. A typical university will know your name, address, phone number and all personal information, along with your grades, affiliations and all academically relevant information. In addition to that, if you've ever applied for a grant or loan they'll have that information too which includes credit history, social security number and other goodies. Worse, if you've ever been injured on campus or had the sniffles your medical records are on file as well. Pretty much all of your academic-related life is on file with your college or university - and they're doing an incredibly poor job of securing that information today, judging by the news headlines.

Some simple suggestions for basic protection, while often ignored, should be heeded:

Collect and store only the information absolutely needed and no more

Encrypt personal and private information from students and faculty

Centralize sensitive data stores and do not distribute this information throughout the school

Destroy (digitally shred) digital information after a defined retention period

Monday, May 11, 2009

With all the focus on "usable security" lately I've been going insane trying to figure out how to get products to actually be useful for the common user. I was relatively sure that Kaspersky had things figured out, at least reasonably well, until this happened today. I can't explain it - I don't know what this "unknown application" is (my guess is that installing VMWare 6.5 somehow triggered this) but I do know I really wish there was a terminate process (or at least a DENY button). What am I supposed to click?

Is anyone from Kaspersky reading this? Can you tell me what the hell this is and what I should be doing about it? How do I investigate the root-cause? What if this really IS a keylogger?!

Saturday, May 9, 2009

Special thanks to Don from ChicagoCon for having me... I had a great time with the workshop. We had a mostly packed room and we truly found some scary Flash files out on the real internet out there.

Congrats to Samantha, John and Raffy for some of the great contributions to our "scavenger hunt" - you guys found some absolutely insane vulnerabilities in public web sites.

As you all saw, it's one thing to stand up in front of you and preach and lecture on web vulnerabilities and stupidities in Flash... but it's an entirely different thing to go out there and show you how to do it yourself.

I hope you all enjoyed the workshop as much as I enjoyed those 3+ hours we spent together. I'd love to hear any thoughts on how you'll be taking that new knowledge back to your employer, if you're willing to share.

Tuesday, May 5, 2009

A Wall Street Journal (WSJ) article the other day went in one ear and out the other for me, at first read. Then I was flipping channels in my hotel room and stopped on Dave Ramsey on Fox talking about it... and something struck me. That something is the fine point most folks don't understand about how a debit card differs from a credit card. When you use your debit card with your PIN you effectively make the transaction as if it was a cash transaction. This means the money leaves your account pseudo-immediately... and unlike a credit card there isn't that nice period for you to contest the charge.

Also - when you use your debit card with your PIN, that PIN has to be stored somewhere for batch processing (don't even get me started on why banking isn't real-time yet... see previous article). Herein lies the problem and the issue I am seeing with this VISA-demonstrated trend. Most people don't know to not use their debit card with their PIN... and to use it as a credit card. There is a massive difference in how things get processed, yes - but the main difference is your precious PIN.

Consider the role compliance plays today, when a good chunk of people are still using their credit cards as forms of payment. Compliance is important because it causes you pain if you get your card information stolen and used... but ultimately it's not so bad because your money doesn't immediately disappear from, say, your bank account. If you start using your debit card plus PIN, and someone breaches a merchant you trusted with your information - your money disappears from your bank immediately. Are you ready for that? Sure, there is still the "Zero fraud liability" if you use VISA (for example) - but that's only if you use the card as a credit card.

There's a bigger picture when you zoom out from all the statistics and cost figures and trends of debit vs. credit. At the end of the day - if people start to use their card more as a debit card compliance (most notably PCI Compliance) goes from critical to possibly catastrophic!

Please, if you don't already know this... use your debit card as a credit card... avoid inputting your PIN at all cost. Tell your friends, family and anyone you care for.

I haven’t gone on a good rant lately – but it’s high time I let it out because it’s been building like the tension in the Ferrari F1 team. I’ve been keeping a steady eye on the marketing efforts around “security stuff” as the economy has been tanking and I’d like to share with you some observations.

Perhaps in a stable economy, one where we’re not spending our great-great-great-grandchildren’s savings, these observations wouldn’t make me so nuts… but in light of corporate spending habits in such a climate I feel the need to call out these ridiculous happenings.

The crescendo of my madness was earlier today when I walked, errr… hobbled, through Chicago’s O’Hare International Airport slow enough to actually look at some of the signage and billboards. I came up the escalator in Terminal 1 to be greeted by a WatchGuard Firebox ad and immediately I stopped and took note; then I took a picture just so I can have proof of this insanity. After getting through security I was greeted overhead by a giant big-screen style video board running ads for none other than Symantec. Symantec’s ad was a little less upsetting – and unfortunately I couldn’t get a good picture of it in spite of my efforts.

The Symantec ad basically said this … “We protect more corporations, systems and users than anyone else in the world”. I then had a quick flashback to the last 3 big companies I worked at. Not surprisingly Symantec’s logo was all over each one. From dysfunctional desktop firewall/antivirus/anti-malware to a SIM, to some backup software – Symantec was everywhere. I then recalled how much we all (in IT Security) complained that the products were crap and we could barely make it do what we needed it to do, much less what the sales guys had convinced our management it would do. OK so fair enough – for better or for worse, Symantec had protected (or secured if you really stretch the meaning) each one of those enterprises.

Now let me take a minute to address WatchGuard’s “Complete Network Security In One Box” slogan in those big white letters. First off, to you and me the insertion of the word network in that slogan means that it doesn’t actually protect against anything that doesn’t attack at the network layer. The average business-person, however, does not quite see that subtle distinction. They see the WatchGuard ad, and see that they can solve the “hacker problem” by plugging this box in… and nothing else. How do I know this for such a fact? I stood there for a few minutes and asked some random people in business suits. I realize this isn’t a scientific poll – but it’s what I had to work with. Perhaps I’ll make this a little more scientific in the near future if you readers think you want to read more.

Let me get to the point of my rant here for the sake of keeping this relatively brief – I hate few things more than when a vendor sells magic pixie dust. I personally haven’t picked up a FireBox since about spring ’00 when I was working as a consultant and we replaced a few at some SMBs. Not that I personally have anything against the FireBox because I do think that any UTM Firewall is as crappy as the next, but this type of advertising makes me mad as a hatter. I realize full-well that in a contracting economy vendors scrap for as much business as possible, and business is business, but please stop over-selling your products. Also, please realize that the way you advertise impacts not just your business but the entire industry … often negatively. What that WatchGuard ad says to the unsuspecting business owner is “Hey, buy this box and forget about security” – which simply isn’t true! Businesses have web applications, random portable user devices (iPods, etc), and a plethora of other threats that these UTM Firewall boxes simply don’t address. To insinuate that your product is the magic security pixie dust is irresponsible, and actually does more harm than good. …and don’t give me that “But we’re being honest and saying we only cover network security” crap… you know who you’re targeting here and know damn well that your target audience doesn’t understand the difference. And this isn’t just a rant against WatchGuard because their ad was just the latest that caught my attention… this goes for all of your marketing teams that have that stupid “Security. Solved” mentality to your ads – you know who you are.

As a call to action, I urge everyone that sees one of these irresponsible ads – take a picture, post it somewhere… call them out. If we as security professionals continue to allow this madness to seep into our industry – our already confusing talks with business leaders will be even more confusing when we have to tell them their magic red box does nothing to keep their credit card database safe… and that’s not just bad for us – it’s bad for business, period.

Monday, May 4, 2009

This is officially my new favorite error message from Windows. Found this one today while booting up... someone want to explain to me which option I should be picking given this is a production system?

Friday, May 1, 2009

As you may have noticed - people have stopped talking about firewalls. Of course, it could be because they've effectively become a commodity item and there aren't many differences in them anymore... at least none that make you go "Wow, that's cool!" - that is until one day you look and you have several hundred of them because they've multiplied like rabbits.

The problem with firewalls is that there aren't just a few in most environments. Just about every company I've ever worked for started out with one or two firewalls at the perimeter and over time that number grew proportionately to the company (we hoped) until at one point there were 2-3 firewall guys managing upwards of 400 firewalls... manually. If you can't guess, that made for one hell of a management nightmare, even if you were using something as pretty as CheckPoint's Provider-1 infrastructure. So now there's this big problem - because even if you can comprehend what's going on with all these different firewalls the complexity of it all will make you mad.

The problem is this... today's enterprises aren't just simple one-point entry into their network... there are often dozens and potentially hundreds if not thousands of ways into a company's network through which the bad things get in, and make a mess of things. This is where I think this tool I was introduced to will help, and thus I share it with you.

Some time back I was approached by folks from Secure Passage, to ask me what I thought of their product, Firemon. I have to say that I was quite skeptical (as I typically am) when it comes to reviewing a product that deals with technology that should have been figured out last decade... but I gave it a shot. I have to say, I was quite impressed by all the problems Firemon was solving that I honestly didn't even realize there were solutions to. It's odd how we take complexity for granted and simply tell ourselves we just need to deal with it as part of the technological sprawl that plagues us all.

Work with me here... wouldn't it be just awesome if you could have one interface to tell you if one of your off-shore firewall admins just accidentally created a rule that's about to be pushed out that will wreak havoc on your network... and page you to let you know? Wouldn't it also rock to be able to pull in every firewall rule you have, across every firewall you have... and see where you have overlaps, redundancies and rules that you aren't even using anymore? Yes, Firemon does that... and many, many things more.
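Added example (not Firemon's code and not from this blog) of the kind of analysis described above: rules from several firewalls are pulled into one list and, per firewall and in evaluation order, each rule is checked for being shadowed by an earlier rule with a different action, redundant with an earlier rule with the same action, never hit, or dangerously wide open (the "rule about to be pushed that will wreak havoc" case). The rule set, hit counters and field names are constructed for the demo.

```python
"""Shadowed / redundant / unused / wide-open rule finder for a merged policy.

Added example, not part of the original post and not Firemon code.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_PORTS = (0, 65535)  # inclusive destination port range meaning "all ports"


@dataclass(frozen=True)
class Rule:
    firewall: str   # which firewall this rule was pulled from
    rule_id: int    # position in that firewall's policy (evaluation order)
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "tcp", "udp", "icmp" or "any"
    ports: tuple    # (low, high) inclusive destination ports
    action: str     # "allow" or "deny"
    hits: int       # hit counter read from the firewall


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches inner would also match outer."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def wide_open(rule: Rule) -> bool:
    """An allow rule for any source, any destination, any protocol and port."""
    return (rule.action == "allow" and rule.src == "any" and rule.dst == "any"
            and rule.proto == "any" and rule.ports == ANY_PORTS)


def analyze(rules: list) -> dict:
    """Classify rules; each finding is a (firewall, rule_id) tuple."""
    findings = {"shadowed": [], "redundant": [], "unused": [], "wide_open": []}
    earlier_by_fw = {}
    for r in sorted(rules, key=lambda x: (x.firewall, x.rule_id)):
        earlier = earlier_by_fw.setdefault(r.firewall, [])
        key = (r.firewall, r.rule_id)
        for e in earlier:  # first earlier rule that fully covers r decides
            if covers(e, r):
                findings["redundant" if e.action == r.action else "shadowed"].append(key)
                break
        earlier.append(r)
        if r.hits == 0:
            findings["unused"].append(key)
        if wide_open(r):
            findings["wide_open"].append(key)
    return findings


# Constructed sample policy spanning two firewalls.
SAMPLE_RULES = [
    Rule("edge-fw1", 1, "any", "10.1.0.0/16", "tcp", (80, 80), "allow", 5120),
    Rule("edge-fw1", 2, "192.168.5.0/24", "10.1.0.0/16", "tcp", (80, 80), "allow", 0),
    Rule("edge-fw1", 3, "any", "10.2.0.0/16", "any", ANY_PORTS, "deny", 300),
    Rule("edge-fw1", 4, "172.16.0.0/12", "10.2.3.0/24", "tcp", (22, 22), "allow", 0),
    Rule("edge-fw1", 5, "any", "10.3.0.0/16", "udp", (53, 53), "allow", 0),
    Rule("dmz-fw2", 1, "172.16.0.0/12", "10.2.3.0/24", "tcp", (22, 22), "allow", 40),
    Rule("dmz-fw2", 2, "any", "any", "any", ANY_PORTS, "allow", 0),
]

if __name__ == "__main__":
    for kind, keys in analyze(SAMPLE_RULES).items():
        print(f"{kind:9s} {keys}")
```

Rule 4 on edge-fw1 can never match because rule 3 denies everything to 10.2.0.0/16 first; rule 2 is the kind of redundancy that accumulates when admins add rules without reading the existing ones.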

Of course, I didn't take their word for it... and I quite think I may have annoyed them when I kept asking questions and insisting on seeing an actual demo to see the thing working... granted I wasn't going to be buying anything so doing a full-scale presentation and demo to me may have been a waste of their time but I'm glad they took it. I'm convinced this is one of the better tools out there to manage the firewalls that multiply like bunnies in your environments. Before I start to sound too much like I'm trying to sell you on these guys... I'll simply urge you to check it out for yourself if this even remotely sounds like something you need help with in your environment. As for me, I wish I had found these guys about 5 years ago when we had 375+ firewalls (mostly CheckPoint, Cisco and NetScreens) across a massive Class-B network connecting partners, vendors, customers, and our network endpoints... because I can promise that it would have saved me and my fellow engineers (you know who you are) a lot of late nights.

They have a screencast set up and readily available ... Click here to check it out.

[Disclaimer: I'm not getting paid to write this, nor do I have *any* stake in Secure Passage]

About Me

Technology is pushing us along and becoming pervasive in our lives orders of magnitude faster than we can fully comprehend the ramifications of these changes.

Technology promises to change our lives, but at what price? The more heavily our daily lives rely on technology the greater the impact of a breach or a malicious attack. Our toasters can't kill us ... yet, but I suspect the day is coming.

As someone who has been involved in the defensive enterprise side of security for well over a decade, I implore you to join me and focus our efforts on building better, more resilient systems which can not only support and enrich our lives, but also stand up to misuse and attack better.

Remember, prevention is a myth the snake-oil salesman sells. Real security comes from the ability to detect, respond, and resolve critical issues in a meaningful way.